# SecuriTay 2017 & the Future of an Industry

On Friday 24 February I battled the elements of Storm Doris to head north of the border to one of the UK’s premier security conferences, Abertay University’s SecuriTay.

Held in Dundee, and now in its sixth year, SecuriTay is organized by the Ethical Hacking Society and “aimed at anyone with an interest in hacking and information security”. Having had the opportunity to cover the likes of 44CON, Steelcon and BSides conferences around the world, I can say the concept of the “hacker conference” is still a crucial part of the infosec industry, offering researchers, students and new speakers an opportunity to get in front of their peers.

At SecuriTay, the talks ran in two tracks in a packed day of content. Opening the conference with the keynote was Abertay University graduate turned NCC Group senior security consultant Gavin Holt, who presented on Active Directory and “adventures in pen testing Windows Estates.” Explaining that Active Directory is used by everyone from small businesses to huge global institutions, Holt ran through a number of anonymized case studies of environments where Active Directory had been set up badly.

He said that he had come across “weird things being shared”, like shared access to a C drive, two types of admin account, or users sharing activities like finance. “From a sys admin point of view it makes it hard to know who did what, and how often who did what,” he added.

In the examples he gave, there were instances of the username and password being identical on accounts used by business-critical software; of a shared file containing complaints from the Information Commissioner’s Office; of a tool built to pipe passwords into utilities; and of a case where, with only standard-user access to a domain, an unusual Base64-encoded value was found that decoded to a password reset.

As everyone split off into the two tracks, fresh with the advice on changing passwords and with no decent alternative to Active Directory on offer, I caught up with Holt later on and asked him whether one of the problems was the lack of an alternative to the Microsoft option. He agreed.

With the choice of two tracks, I opted for Peter Cowman’s talk on “Malware in Memory”. Cowman is a final-year ethical hacking student at Abertay University, and he presented on the emergence of fileless malware.

He explained that with fileless malware no files are written to the hard drive, and that it is most commonly registry-based. In particular, he pointed to the Democratic National Congress data breach as an example of this. Spotting it involves looking at registry keys and permissions, and for “threads that are not supposed to be there and then there is something suspicious to pick at.”

Lunchtime in the Students' Union came and went (for me the first time in the Midge Ure-opened building), and afterwards I attended an excellent talk by Karambyte co-founder Jamie Hoyle on “IoT Security from the other side.”

Breaking down IoT vendors into those who own their own IP, product design and manufacturing, and those that mass-produce using white-labelled hardware without owning their own source code, Hoyle said that reporting bugs to the second group of vendors can be hard work, let alone getting them to acknowledge and fix the issue. He said: “It pushes responsible disclosure out of the window as often they don’t care as long as they are making money.”

Describing the “IoT gold rush”, he said that “security is treated as IT as it doesn’t make money so why rush to it”. Nor does anyone assume they are a target.

He also pointed to the lack of accreditation bodies to certify the quality and security of products, while with IoT (unlike traditional IT systems) you cannot see what you are running, “and getting firmware off the device to reverse build is pretty difficult.”

Hoyle concluded by saying that manufacturers can conform to Wi-Fi standards, but there is no guarantee that what you buy today will work tomorrow. With so many attack vectors, every layer of the stack needs to be considered, from device to cloud, and he said it is rare for IoT manufacturers to have the expertise to fully secure a system.

With some time taken out to prepare and present my own research on ransomware (as previously published in Infosecurity’s Q4 issue), I was unable to get into the standing-room-only session of Graham Sutherland’s talk on TLS/SSL, but did catch some of David Wind & Christoph Rottermanner’s talk on “Secure (Desktop) Messengers – Usability vs. Security”. The presenters, from the University of Applied Sciences in St. Pölten, Austria, spoke on the different builds of communications tools such as WhatsApp and Signal. In a study in which 28 people were asked to exchange messages while a Man in the Middle (MITM) attack was staged, 21 failed to verify the message and seven succeeded. The presenters explained that this showed that enabling a MITM was “hard to implement”, and they recommended that the term ‘Verify’ be changed to ‘show keys’ and ‘accepted key’ so the user knows what is being changed.

In the concluding talk, Rafe Pilling, a senior security researcher in the SecureWorks Counter Threat Unit (CTU), talked through the modern threat landscape, including the rise in ransomware mirroring the decline in banking trojans. He also used his talk to debunk the “dark web” as a place where well-organized cyber-criminals work, saying that they often work in small teams in one location and, having invested in their tools, will not easily go away.

Pointing to organized groups such as Fancy Bear and Shamoon, and to an investigation in which the CTU had assisted Forbes regarding the Voiceless Victims fake NGO, Pilling brought the conference to a close with a dose of reality about the state of offensive cybercrime.

In total, there were around 350 delegates at this conference, which enjoyed a 96% attendance rate having sold out in a week and a half. Despite Storm Doris making it challenging for visiting delegates and speakers to get to Dundee, this was an excellent event. I first heard of SecuriTay some years ago through my involvement in other conferences, and there is very little I can fault the organizers on. With this level of expertise in their domain for one day a year, and no shortage of sponsors keen to show their opportunities to the students, the British security scene looks healthy to me.